OpenOffice.org data leakage vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:

OpenOffice.org 3.3 and 3.4 Beta, on all platforms.

Earlier versions may be also affected.

Description:

An XML External Entity (XXE) attack is possible in the above versions of OpenOffice.org. The attack exploits the way in which external entities are processed in certain XML components of ODF documents. By crafting an external entity that refers to other local file system resources, an attacker would be able to inject the contents of other locally accessible files into the ODF document without the user's knowledge or permission. Data leakage then becomes possible when that document is later distributed to other parties.
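The mechanism described above, reproduced with the Python standard library as an added example (this is not code from the advisory or from the OpenOffice.org code base). A constructed ODF-style content.xml declares a SYSTEM entity pointing at a constructed local file; `extract_text` shows that a parser which resolves external general entities copies that file into the document text, while the hardened setting (`feature_external_ges` off) leaves the paragraph empty. `scan_odf_package` is a pre-parse check an importer can run over the XML members of an ODF package before handing them to any parser. Names such as `leak`, `patch`-style paths and the secret string are all constructed for the demonstration.

```python
"""Added example: XXE in an ODF content.xml, the hardened parser setting,
and a pre-parse scan of an ODF package. All sample data is constructed."""
import io
import os
import re
import tempfile
import xml.sax
import zipfile
from xml.sax.handler import ContentHandler, feature_external_ges

# Heuristic: any entity declaration that points outside the document
# (SYSTEM or PUBLIC). ODF XML members normally carry no DTD at all.
EXTERNAL_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+(?:%\s+)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)

# Minimal ODF-style content.xml whose only paragraph is an entity reference;
# {path} is replaced with the local file the entity should pull in.
CONTENT_XML_TEMPLATE = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<!DOCTYPE office:document-content [\n'
    b'  <!ENTITY leak SYSTEM "{path}">\n'
    b']>\n'
    b'<office:document-content'
    b' xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
    b' xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0">\n'
    b' <office:body><office:text><text:p>&leak;</text:p></office:text></office:body>\n'
    b'</office:document-content>\n')

# The same document without any DTD, as a benign file would look.
CLEAN_CONTENT_XML = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<office:document-content'
    b' xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
    b' xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0">\n'
    b' <office:body><office:text><text:p>hello</text:p></office:text></office:body>\n'
    b'</office:document-content>\n')


class _TextCollector(ContentHandler):
    """Collects all character data the parser reports."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def extract_text(xml_bytes, resolve_external):
    """Return the document's character data.

    resolve_external=True mirrors a parser that follows SYSTEM entities
    (the behaviour the advisory describes); False is the hardened setting.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def declares_external_entities(xml_bytes):
    """True when the XML text declares an external (SYSTEM/PUBLIC) entity."""
    return EXTERNAL_ENTITY_RE.search(xml_bytes) is not None


def scan_odf_package(package_bytes):
    """Return the names of XML members of an ODF zip that declare external entities."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".xml") and declares_external_entities(zf.read(name)):
                flagged.append(name)
    return flagged


def build_package(content_xml):
    """Constructed stand-in for an .odt: a zip holding mimetype and content.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", content_xml)
    return buf.getvalue()


def demo():
    """Run both parser settings and the package scan against a constructed secret file."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("SECRET-CONSTRUCTED-FOR-DEMO")
        secret_path = f.name
    try:
        poisoned = CONTENT_XML_TEMPLATE.replace(b"{path}", secret_path.encode())
        leaked = extract_text(poisoned, resolve_external=True)
        safe = extract_text(poisoned, resolve_external=False)
        flagged = scan_odf_package(build_package(poisoned))
        clean = scan_odf_package(build_package(CLEAN_CONTENT_XML))
    finally:
        os.unlink(secret_path)
    return {"leaked": leaked.strip(), "safe": safe.strip(),
            "flagged": flagged, "clean": clean}


if __name__ == "__main__":
    print(demo())
```

The regex scan is a heuristic (a DTD inside an XML comment would also match), so it belongs in front of the parser as an early reject rather than as the only defence; the parser configuration is what actually stops the file read.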

Mitigation

OpenOffice.org 3.3.0 and 3.4 beta users can patch their installation with the following patches. Download, unzip and follow the instructions in the enclosed readme.pdf file.

Users on Linux and other platforms should consult their distribution or OS vendor for patch instructions.

This vulnerability is also fixed in Apache OpenOffice 3.4 dev snapshots since March 1st, 2012.

Verifying the Integrity of Downloaded Files

We have provided MD5 and SHA1 hashes of these patches, as well as a detached digital signature, for those who wish to verify the integrity of these files.

The MD5 and SHA1 hashes can be verified using Unix tools like sha1, sha1sum or md5sum.

The PGP signatures can be verified using PGP or GPG. First download the KEYS file, as well as the asc signature file for the particular patch from above. Make sure you get these files from the main distribution directory, rather than from a mirror. Then verify the signatures as follows:
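The digest and signature checks described above, as an added example that is not part of the advisory: `verify_digest` recomputes the MD5 or SHA1 of a downloaded file and compares it in constant time with the published digest file, and `verify_signature` imports the KEYS file and runs `gpg --verify` on the detached `.asc` signature. The file names (`patch.zip`, `patch.zip.sha1`, `patch.zip.asc`, `KEYS`) are placeholders for the real distribution files; `self_check` builds a constructed file and digest pair so the digest logic can be exercised offline.

```python
"""Added example: verify a downloaded patch against its published MD5/SHA1
digest files and its detached PGP signature. File names are placeholders."""
import hashlib
import hmac
import subprocess
import tempfile
from pathlib import Path


def read_digest_file(digest_path):
    """Published digest files hold "<hex>" optionally followed by the file name."""
    return Path(digest_path).read_text().split()[0].strip().lower()


def file_digest(path, algo):
    """Hex digest of a file using the named hashlib algorithm ("md5" or "sha1")."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_digest(path, digest_path, algo):
    """True only when the file's digest equals the published one."""
    return hmac.compare_digest(file_digest(path, algo), read_digest_file(digest_path))


def verify_signature(path, sig_path, keys_path):
    """Import the project's KEYS file, then check the detached .asc signature.

    Returns True when gpg reports a good signature. A good signature from a
    key that was only just imported still needs its fingerprint compared
    against the one the project publishes out of band; gpg will warn that the
    key is not certified with a trusted signature.
    """
    subprocess.run(["gpg", "--import", str(keys_path)],
                   check=True, capture_output=True)
    result = subprocess.run(["gpg", "--verify", str(sig_path), str(path)],
                            capture_output=True)
    return result.returncode == 0


def self_check():
    """Constructed round trip: a fake patch, its digest files, then a tampered copy."""
    with tempfile.TemporaryDirectory() as d:
        tmpdir = Path(d)
        patch = tmpdir / "patch.zip"
        patch.write_bytes(b"constructed patch contents\n")
        for algo in ("md5", "sha1"):
            (tmpdir / f"patch.zip.{algo}").write_text(
                f"{file_digest(patch, algo)}  patch.zip\n")
        intact = all(verify_digest(patch, tmpdir / f"patch.zip.{algo}", algo)
                     for algo in ("md5", "sha1"))
        # Any change to the file must fail both digests.
        patch.write_bytes(b"constructed patch contents, tampered\n")
        tampered = any(verify_digest(patch, tmpdir / f"patch.zip.{algo}", algo)
                       for algo in ("md5", "sha1"))
    return intact and not tampered


if __name__ == "__main__":
    print("digest self-check:", "ok" if self_check() else "FAILED")
    # Real usage, once the files are downloaded from the main distribution directory:
    # verify_digest("patch.zip", "patch.zip.sha1", "sha1")
    # verify_signature("patch.zip", "patch.zip.asc", "KEYS")
```

Both hashes are fast to check but MD5 and SHA1 only protect against download corruption and casual tampering; the detached PGP signature is the check that ties the file to the release managers' keys, which is why the KEYS file should be fetched from the main distribution directory rather than a mirror.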

Unofficial translations:

Apache and the Apache feather logo are trademarks of The Apache Software Foundation.
OpenOffice, OpenOffice.org and the seagull logo are registered trademarks of The Apache Software Foundation.
Other names appearing on the site may be trademarks of their respective owners.